Abstract. The length-based approach is a heuristic for solving randomly generated equations in groups that possess a reasonably behaved length function. We describe several improvements of the previously suggested length-based algorithms, which make them applicable to Thompson's group with significant success rates. In particular, this shows that the Shpilrain-Ushakov public key cryptosystem based on Thompson's group is insecure, and suggests that no practical public key cryptosystem based on the difficulty of solving an equation in this group can be secure.



1. Introduction 

Noncommutative groups are often suggested as a platform for public key agreement protocols, and much research is dedicated to analyzing existing proposals and suggesting alternative ones (see, e.g., the works cited below, and references therein).

One possible approach for attacking such systems was outlined by Hughes and Tannenbaum [6]. This approach relies on the existence of a good length function on the underlying group, i.e., a function $\ell(g)$ that tends to grow as the number of generators multiplied to obtain $g$ grows. Such a length function can be used to solve, heuristically, arbitrary random equations in the group [1].

In the case of the braid group, a practical realization of this approach was suggested in [4], and the method was extended in [5] to imply high success rates for subgroups of the braid group, which are of the type considered in some previously suggested cryptosystems.

This length-based cryptanalysis usually has smaller success rates than 
specialized attacks, but it has the advantage of being generic in the 
sense that, if there is a good length function on a group, then the 
attack applies with nontrivial success rates to all cryptosystems based 
on this group (provided that an equation in the group can be extracted 
from the public information). 
The main problem with existing length-based algorithms is that they tend to perform well only when the underlying subgroup has few relations, i.e., it is not too far from the free group. This is not the case in Richard Thompson's group $F$, since it has a maximal set of relations: Any nontrivial relation added to it makes it abelian [3]. In 2004, Shpilrain and Ushakov proposed a key exchange protocol that uses Thompson's group $F$ as its platform and reported a complete failure of a length-based attack on their cryptosystem [11].

In the sequel we introduce several improvements to the length-based 
algorithms, which yield a tremendous boost in the success rates for full 
size instances of the cryptosystem. The generalized algorithms pre- 
sented here are not specific for Thompson's group, and would be useful 
in testing the security of any future cryptosystem based on combina- 
torial group theoretic problems. 

1.1. History and related works. The results reported here form the first practical cryptanalysis of the Shpilrain-Ushakov cryptosystem: The first version of our attack was announced in the Bochum Workshop Algebraic Methods in Cryptography (November 2005) [8]. An improved attack was announced in the CGC Bulletin in March 2006.

While we were finalizing our paper for publication, a very elegant spe- 
cialized attack on the same cryptosystem was announced by Matucci 
[7]. The main contribution of the present paper is thus the general- 
ization of the length-based algorithms to make them applicable to a 
wider class of groups. Moreover, while our general attack can be easily 
adapted to other possible cryptosystems based on Thompson's group, 
this may not be the case for Matucci's specialized methods. 

2. The basic length-based attack 

Let $G$ be a finitely generated group with $S_G = \{g_1^{\pm 1}, \ldots, g_k^{\pm 1}\}$ being its set of generators. Assume that $x \in G$ is generated as a product, $x = x_1 \cdots x_n$, where each $x_i \in S_G$ is chosen at random according to some nontrivial (e.g., uniform) distribution on $S_G$. Assume further that $w \in G$ is chosen in a way independent of $x$, and that $x, w$ are unknown, but $z = xw \in G$ is known. Suppose that there is a "length function" $\ell(g)$ on the elements of $G$, such that with a nontrivial probability,

$$\ell(x_1^{-1} z) < \ell(z) < \ell(x_j^{-1} z)$$

for each $x_j \neq x_1$. To retrieve $x$, we can try to "peel off" the generators that compose it, one by one, using the following procedure.

Algorithm 1 (Length-based attack).

(1) Let $j \leftarrow 1$ and $y \leftarrow z$.

(2) For each $g \in S_G$ compute $g^{-1} y$.

(3) Consider the $h \in S_G$ that minimizes $\ell(h^{-1} y)$. (If several such $h$'s exist, choose one arbitrarily or randomly.) Let $h_j \leftarrow h$ and $y \leftarrow h^{-1} y$.

(4) (a) If $j = n$, terminate.

    (b) Otherwise, let $j \leftarrow j + 1$ and return to step (2).

If $\ell$ is a good length function, then in step (3), with some nontrivial probability, $h = x_1$ (or at least $y$ can be rewritten as a product of $n$ or fewer generators, where $h$ is the first). It follows that with a nontrivial (though smaller) probability, $x = h_1 h_2 \cdots h_n$ after termination.

Instead of assuming that $n$ is known, we can assume that there is a known, reasonably sized, bound $N$ on $n$, and then terminate the run after $N$ steps and consider it successful if for some $k \le N$, $x = h_1 h_2 \cdots h_k$. This way, we obtain a short list of $N$ candidates for $x$. In many practical situations each suggestion for a solution can be tested, so this is equally good.

In this algorithm, as well as in the ones that follow, the decisions are 
soft in the sense that if an incorrect generator is chosen at some stage, 
this may be repaired later if a generator that cancels it out (using the 
group relations) is chosen. 

However, in practice the known length functions in many types of groups are not good enough for Algorithm 1 to succeed with noticeable probability. This is shown in [1], and is demonstrated further by the Shpilrain-Ushakov key agreement protocol.

3. The Shpilrain-Ushakov key agreement protocol

This section is entirely based on the original proposal by Shpilrain and Ushakov.

3.1. Thompson's group. Thompson's group $F$ is the infinite noncommutative group defined by the following generators and relations:

(1) $F = \langle x_0, x_1, x_2, \ldots \mid x_i^{-1} x_k x_i = x_{k+1} \ (k > i) \rangle$

Each $w \in F$ admits a unique normal form [3] which has the following structure:

$$x_{i_1} \cdots x_{i_r} x_{j_t}^{-1} \cdots x_{j_1}^{-1},$$

where $i_1 \le \cdots \le i_r$, $j_1 \le \cdots \le j_t$, and if $x_i$ and $x_i^{-1}$ both occur in this form, then either $x_{i+1}$ or $x_{i+1}^{-1}$ occurs as well. The transformation of an element of $F$ into its normal form is very efficient: Starting with a word $w$ of length $n$, the number of required operations is bounded by a small constant multiple of $n \log n$.

Definition 1. The normal form length of an element $w \in F$, $\ell_{\mathrm{NF}}(w)$, is the number of generators in its normal form: If the normal form of $w$ is $x_{i_1} \cdots x_{i_r} x_{j_t}^{-1} \cdots x_{j_1}^{-1}$, then $\ell_{\mathrm{NF}}(w) = r + t$.

3.2. The protocol.

(0) Alice and Bob agree (publicly) on subgroups $A, B, W$ of $F$, such that $ab = ba$ for each $a \in A$ and each $b \in B$.

(1) A public word $w \in W$ is selected.

(2) Alice selects privately at random elements $a_1 \in A$ and $b_1 \in B$, computes $u_1 = a_1 w b_1$, and sends $u_1$ to Bob.

(3) Bob selects privately at random elements $a_2 \in A$ and $b_2 \in B$, computes $u_2 = b_2 w a_2$, and sends $u_2$ to Alice.

(4) Alice computes $K_A = a_1 u_2 b_1 = a_1 b_2 w a_2 b_1$, whereas Bob computes $K_B = b_2 u_1 a_2 = b_2 a_1 w b_1 a_2$.

As $a_1 b_2 = b_2 a_1$ and $a_2 b_1 = b_1 a_2$, $K_A = K_B$ and so the parties share the same group element, from which a secret key can be derived.

3.3. Settings and parameters. Fix a natural number $s \ge 2$. Let $S_A = \{x_0 x_1^{-1}, \ldots, x_0 x_s^{-1}\}$, $S_B = \{x_{s+1}, \ldots, x_{2s}\}$ and $S_W = \{x_0, \ldots, x_{s+2}\}$. Denote by $A$, $B$, and $W$ the subgroups of $F$ generated by $S_A$, $S_B$, and $S_W$, respectively. $A$ and $B$ commute elementwise, as required [11].

Let $L$ be a positive integer. The words $a_1, a_2 \in A$, $b_1, b_2 \in B$, and $w \in W$ are all chosen of normal form length $L$, as follows: Let $X$ be $A$, $B$, or $W$. Start with the empty word, and multiply it on the right by a (uniformly) randomly selected generator, inverted with probability $1/2$, from the set $S_X$. Continue this procedure until the normal form of the word has length $L$.

For practical implementation of the protocol, it is suggested in [11] to use $s \in \{3, 4, \ldots, 8\}$ and $L \in \{256, 258, \ldots, 320\}$.

4. Success rates for the basic length attack

The cryptanalyst is given $w, u_1, u_2$, where $u_1 = a_1 w b_1$ and $u_2 = b_2 w a_2$. This gives rise to 4 equations:

$$u_1 = a_1 w b_1$$
$$u_2 = b_2 w a_2$$
$$u_1^{-1} = b_1^{-1} w^{-1} a_1^{-1}$$
$$u_2^{-1} = a_2^{-1} w^{-1} b_2^{-1}$$

The cryptanalyst can apply Algorithm 1 to each equation, hoping that its leftmost unknown element will appear in the resulting list of candidates. Note that even a single success out of the 4 runs suffices to find the shared key.

Here $n$, the number of generators multiplied to obtain each element, is not known. We took the bound $2L$ on $n$, as experiments show that the success probability does not increase noticeably when we increase the bound further. This is the case in all experiments described in this paper.

Experiments show that the success probability of finding $a_1$ given $a_1 w b_1$ is the same as that of finding $a_2^{-1}$ given $a_2^{-1} w^{-1} b_2^{-1}$, that is, the usage of the same $w$ in both cases does not introduce noticeable correlations. A similar assertion holds for $b_2$ and $b_1^{-1}$. We may therefore describe the task in a compact manner:

Given $awb$, try to recover either $a$ or $b$.

The probabilities $p_a, p_b$ of successfully recovering $a$ and $b$ (respectively) induce the total success rate by $1 - (1 - p_a)^2 (1 - p_b)^2$.

The attack was tested for the minimal recommended value $s = 3$, and for the cut-down lengths $L \in \{4, 8, 16, \ldots, 128\}$. (Each attack in this paper was tested against at least 1000 random keys, in order to evaluate its success rates.)

The results, presented in Table 1, show that this is not a viable attack: The recommended parameter is $L \ge 256$, and already for $L = 128$ the attack failed in all of our tries.

Table 1. Success rates for the basic length attack (s = 3)

  L      a recovery   b recovery   Total
  4      88.4%        82.6%        99.96%
  8      62.3%        56.2%        97.3%
  16     29.1%        26.9%        73.1%
  32     10.2%        8.2%         32%
  64     0.9%         1%           3.7%
  128    0%           0%           0%



5. Using memory

To improve the success rates, it was suggested in [5] to keep in memory, after each step, not only the element that yielded the shortest length, but a fixed number $M > 1$ of elements with the shortest lengths among all tested elements. Then, in the next step, all possible extensions of each one of the $M$ elements in memory with each one of the generators are tested and again the best $M$ elements among them are kept (see [5] for a formal description of this algorithm).

The time and space complexities of this attack increase linearly with $M$. The previous length-based attack is the special case of the memory attack, where $M = 1$. Except for pathological cases, the success rates increase when $M$ is increased. See [5] for more details.

We have implemented this attack against the minimal recommended parameters $s = 3$, $L = 256$, and with each $M \in \{4, 16, 64, 256, 1024\}$. The success rates appear in Table 2.

Table 2. Success rates for the basic length attack with memory (s = 3, L = 256)

  M       a recovery   b recovery   Total
  <= 64   0%           0%           0%
  256     1.5%         0.1%         3.2%
  1024    5.7%         0.1%         11.3%

We see that $M$ must be rather large in order to obtain high success rates. The experiments in [5] yielded much higher success rates for braid groups. The reason for this seems to be that the length-based approach is more suitable for groups which have few relations (i.e., are close to being free) [1], whereas here the underlying groups have many relations. The next section shows how to partially overcome this problem.

6. Avoiding repetitions 

During the run of the algorithm described in the previous section, 
we keep a hash list. Before checking the length score of an element, we 
check if it is already in the hash list (i.e., it has been considered in the 
past). If it is, we drop it from the list of candidates. Otherwise, we 
add it to the hash list and proceed as usual. 

In the case M = 1, this forces the algorithm not to get into loops. 
Thus, this improvement can be viewed as a generalization of avoiding 
loops to the case of arbitrary M. 

6.1. Results. The results for $s = 3$, $L = 256$ are summarized in Table 3.

It follows that our improvement is crucial for the current system: Compare 50% for $M = 1024$ in Table 3 to the 11% for the same $M$ obtained in Table 2 before we have discarded repetitions.

A success rate of 50% should be considered a complete cryptanalysis of the suggested cryptosystem. We will, however, describe additional improvements, for two reasons.
Table 3. Success rates for the repetition-free memory attack (s = 3, L = 256)

  M       a recovery   b recovery   Total
  4       0%           0%           0%
  16      2.3%         1.1%         6.6%
  64      10.8%        2.3%         24%
  256     14.3%        3.8%         32%
  1024    20.4%        11%          49.8%

Generality. The Shpilrain-Ushakov cryptosystem is just a test case for 
our algorithms. Our main aim is to obtain generic algorithms that will 
also work when other groups are used, or when Thompson's group is 
used in a different way. 

Iterability. As pointed out by Shpilrain [10], there is a very simple fix for key agreement protocols that are broken with probability less than $p$: Agree on $k$ independent keys in parallel, and XOR them all to obtain the final shared key. The probability of breaking the shared key is at most $p^k$. In other words, if a system broken with probability $p_0$ or higher is considered insecure, and $k$ parallel keys are XORed, then the attack on a single key should succeed with probability at least $p_0^{1/k}$. If we consider a parallel agreement on up to 100 keys practical, and require the probability of breaking all of them to be below $2^{-64}$, then we must aim at a success rate of at least $2^{-64/100} \approx 64\%$. For $p_0 = 2^{-32}$, we should aim at 80%.

7. Interlude: Memory is better than look-ahead

An alternative extension of the basic attack is obtained by testing in each step not just the $2k$ generators in $S_G$, but all the $(2k)^t$ $t$-tuples of generators $g_{i_1}^{\pm 1} \cdots g_{i_t}^{\pm 1}$. After computing the length of each of the peeled-off results, one takes only the first generator of the leading $t$-tuple, and repeats the process. This is called look-ahead of depth $t$ [4, 5]. The complexity of this approach grows exponentially with $t$.

In order to compare this approach with the memory approach, we should compare attacks using roughly the same number of operations. The products of all possible $t$-tuples can be precomputed, so that each step requires $(2k)^t$ group multiplications. In the memory attack, each step requires $M \cdot 2k$ group multiplications. Thus, look-ahead of depth $t$ should be compared to $M = (2k)^{t-1}$.
7.1. Results. The look-ahead attack was tested for $s = 3$, $L = 256$. We tried $t \in \{2, 3, 4\}$, which correspond to $M \in \{6, 6^2, 6^3\}$, respectively. The results are presented in Table 4. For $t = 3, 4$, we have also tried the intermediate approach where a look-ahead of depth $t - i$ is performed ($i = 1, 2$) for each member of the list and $M = (2k)^i$.

Table 4. Success rates for look-ahead (LA), the memory attack (M), and the combined attack (M&LA) (s = 3, L = 256). The column (t, M) gives the look-ahead depth and memory size of the combined attack.

                        a recovery        b recovery        Total
  t   M     (t, M)      LA      M         LA      M         LA      M        M&LA
  2   6                 0%      0.1%      0%      0.6%      0%      1.4%
  3   36    (2, 6)      0.1%    7.4%      0.1%    3.6%      0.4%    20.3%    6.8%
  4   216   (2, 36)     1.4%    16.8%     0.8%    8.3%      4.3%    41.8%    31.2%
            (3, 6)                                                           14.4%

It follows that increasing $M$ is always better than using look-ahead of similar complexity. This was also observed in [4, 5] for other settings.

8. Automorphism attacks

Recall our problem briefly: $G = \langle S_G \rangle$, where $S_G = \{g_1^{\pm 1}, \ldots, g_k^{\pm 1}\}$. $x, w \in G$ are unknown and chosen independently, and $z = xw \in G$ is known. We wish to find (a short list containing) $x$. Write $x = h_1 \cdots h_n$.

Let $\varphi$ be an automorphism of $G$. Applying $\varphi$, we have that $\varphi(z) = \varphi(x)\varphi(w)$, and $\varphi(x) = \varphi(h_1) \cdots \varphi(h_n)$. This translates the problem into the same group generated differently: $G = \langle \varphi(S_G) \rangle$, where $\varphi(S_G) = \{\varphi(g_1)^{\pm 1}, \ldots, \varphi(g_k)^{\pm 1}\}$. Solving the problem in this group to find $\varphi(x)$ gives us $x$.

Solving the problem in the representation of $G$ according to $\varphi$ is equivalent to solving the original problem with the alternative length function

$$\ell_\varphi(w) = \ell(\varphi(w)).$$

Indeed,

$$\ell\big(\varphi(g_i)^{\pm 1} \varphi(x) \varphi(w)\big) = \ell\big(\varphi(g_i^{\pm 1} x w)\big) = \ell_\varphi(g_i^{\pm 1} x w).$$

It could happen that a certain key which is not cracked by a given length attack using a length function $\ell$ would be cracked using $\ell_\varphi$.

If we choose $\varphi$ at "random" (the canonical example being an inner automorphism $\varphi(w) = g^{-1} w g$ for some "random" $g$), we should expect smaller success rates, but on the other hand the introduced randomness may be useful in one of the following ways. Let $\Phi$ be a finite set of automorphisms of $G$.
Average length attack. We can take the average length

$$\ell_\Phi(w) = \frac{1}{|\Phi|} \sum_{\varphi \in \Phi} \ell_\varphi(w).$$

If the elements $\varphi$ of $\Phi$ are chosen independently according to some distribution, then

$$\lim_{|\Phi| \to \infty} \ell_\Phi(w) = E(\ell_\varphi(w)),$$

where the expectation is with respect to the distribution of the chosen elements $\varphi$. This approach should be useful when the length function $\ell_E(w) = E(\ell_\varphi(w))$ is good. This would be the case if there are only weak correlations between the different length functions: Roughly speaking, if there are weak correlations between the different length functions and for a random $\varphi$ the probability of getting a correct generator is some $p$ with $\epsilon = p - (1 - p) > 0$, then for $|\Phi| = O(1/\epsilon^2)$, a correct generator will get the shortest average length almost certainly.

Multiple attacks. Write $\Phi = \{\varphi_1, \ldots, \varphi_m\}$. We can attack the key using $\ell_{\varphi_1}$. If we fail, we attack the same key again using $\ell_{\varphi_2}$, etc. Here too, if there are weak correlations between the different length functions and $|\Phi|$ is large, then we are likely to succeed.

In the case of Thompson's group $F$, the family of automorphisms is well understood (they are all conjugations by elements of some well defined larger group) [2]. However, since we are interested in "generic" attacks, we considered only inner automorphisms.

8.1. Results. All experiments were run for parameters $s = 3$, $L = 256$ and without memory extensions ($M = 1$). All conjugators defining the inner automorphisms were random elements of length 64. The complexity of the two described attacks is similar to that of the memory attack with $M = |\Phi|$.

Average length attack. We tried the average length attack with $|\Phi| \in \{4, 16, 64, 256, 1024\}$. Not a single one of the experiments was successful. This implies either that the correlation between the different length functions is rather high or that the actual success probability for a given length function is very low.

Multiple attacks. The success rates appear in Table 5.

Table 5. Success rates for the multiple attack (s = 3, L = 256)

  |Phi|   a recovery   b recovery   Total
  4       0.1%         0%           0.2%
  16      0.9%         0%           1.8%
  64      2.2%         0%           4.4%
  256     2.2%         0%           4.4%
  1024    2.5%         0%           4.9%

While an improvement is observed, it is also seen that there remain substantial correlations and the success rate does not increase fast enough when $|\Phi|$ is increased. Comparing the results to those in Table 3, we see that in the current setting, increasing the memory is far better than using many automorphisms.

9. Alternative solutions

Thus far, we have concentrated on the problem: Given $w$ and $awb$, find the original $a$, or rather, a short list containing $a$. But as Shpilrain and Ushakov point out [12], it suffices to solve the following problem.

Problem 1 (Decomposition). Given $w \in F$ and $u = awb$ where $a \in A$ and $b \in B$, find some elements $\bar a \in A$ and $\bar b \in B$, such that $\bar a w \bar b = awb$.

Indeed, assume that the attacker, given $u_1 = a_1 w b_1$, finds $\bar a_1 \in A$ and $\bar b_1 \in B$, such that $\bar a_1 w \bar b_1 = a_1 w b_1$. Then, because $u_2 = b_2 w a_2$ is known, the attacker can compute

$$\bar a_1 u_2 \bar b_1 = \bar a_1 b_2 w a_2 \bar b_1 = b_2 \bar a_1 w \bar b_1 a_2 = b_2 u_1 a_2 = K_B,$$

and similarly for $b_2 w a_2$.

Consider Problem 1. To each $\bar a \in A$ we can compute its complement $\bar b = w^{-1} \bar a^{-1} u = w^{-1} \bar a^{-1} (awb)$, such that $\bar a w \bar b = awb$. The pair $\bar a, \bar b$ is a solution to this problem if, and only if, $\bar b \in B$. A similar comment applies if we start with $\bar b \in B$. This involves being able to determine whether $\bar b \in B$ (or $\bar a \in A$ in the second case). This membership decision problem turns out to be trivial in our case.

$A$ is exactly the set of all elements in $F$ whose normal form is of the type

$$x_{i_1} \cdots x_{i_m} x_{j_m}^{-1} \cdots x_{j_1}^{-1},$$

i.e., positive and negative parts are of the same length, and in addition $i_k - k < s$ and $j_k - k < s$ for every $k = 1, \ldots, m$. $B$ consists of the elements in $F$ whose normal form does not contain any of the generators $x_0, x_1, \ldots, x_s$ (or their inverses) [11]. In both cases, the conditions are straightforward to check.

Following is an algorithm for solving Problem 1 which incorporates the new flexibility into the halting rule.
Algorithm 2 (Alternative solution search).

(1) Execute Algorithm 1 (with any of the introduced extensions), attempting to recover $a$.

(2) For each candidate (prefix) $\bar a$ encountered during any step of the algorithm, compute the complement $\bar b = w^{-1} \bar a^{-1} u$.

(3) If $\bar b \in B$, halt.

Note that if the algorithm halts in step (3), then $\bar a, \bar b$ is a solution for the decomposition problem.

The above procedure can be executed separately for each of the four 
given equations. It suffices to recover a single matching pair in any of 
the four runs to effectively break the cryptosystem. 
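The following Python program is an added worked example; it is not part of the original paper and not the code of Shpilrain and Ushakov or of the authors. It implements the pieces used in Sections 2 through 9 so that the attack can be run end to end on cut-down parameters. Normal forms in $F$ are computed by first reaching a seminormal form (positive part sorted, negative part sorted) through rewriting rules that follow from relation (1), and then applying the cancellation condition of Section 3.1; $\ell_{\mathrm{NF}}$ is Definition 1; the generating sets and random walks are those of Section 3.3; the attack is the repetition-free memory attack of Sections 5 and 6 with the halting rule of Algorithm 2, using the normal-form membership test for $B$ from Section 9. All function names, the representation of elements as index lists, the seed, and the constructed instance (Alice's $a_1$ is a fixed product of three generators of $S_A$, so that with $M \ge 36$ the search is exhaustive to depth 3, and $L = 12$) are our own choices for the illustration.

```python
import random

# Added illustration, not the authors' code.  An element of Thompson's group F is kept in
# normal form (P, Q), the non-decreasing index lists of its positive and negative parts:
# x_{P[0]}..x_{P[-1]} x_{Q[-1]}^{-1}..x_{Q[0]}^{-1}.  Words are (index, +1/-1) lists.  Every
# rewrite below is an instance of the relation x_i^{-1} x_k x_i = x_{k+1}, k > i.

def _right_mul(P, Q, k, sign):
    """Right-multiply the seminormal form (P, Q) by x_k^sign, keeping it seminormal."""
    P, Q = list(P), list(Q)
    if sign > 0:
        for idx, j in enumerate(Q):               # push x_k leftward through x_j^{-1}
            if j == k:                            # x_k^{-1} x_k = 1
                del Q[idx]
                return P, Q
            if j < k: k += 1                      # x_j^{-1} x_k = x_{k+1} x_j^{-1}
            else: Q[idx] = j + 1                  # x_j^{-1} x_k = x_k x_{j+1}^{-1}
        pos = len(P)
        while pos and P[pos - 1] > k:             # x_i x_k = x_k x_{i+1}  (i > k)
            P[pos - 1] += 1
            pos -= 1
        P.insert(pos, k)
        return P, Q
    idx = 0
    while idx < len(Q) and Q[idx] < k:            # x_j^{-1} x_k^{-1} = x_{k+1}^{-1} x_j^{-1}
        k, idx = k + 1, idx + 1
    if idx < len(Q): Q.insert(idx, k)
    elif P and P[-1] == k: P.pop()                # x_k x_k^{-1} = 1
    else: Q.append(k)
    return P, Q

def _normalize(P, Q):
    """Cancel an x_i ... x_i^{-1} pair whenever no x_{i+1}^{+-1} occurs (Section 3.1)."""
    while True:
        bad = [i for i in set(P) & set(Q) if i + 1 not in P and i + 1 not in Q]
        if not bad:
            return P, Q
        i = bad[0]
        P.remove(i)
        Q.remove(i)
        P = [p - 1 if p > i else p for p in P]    # x_i x_m = x_{m-1} x_i        (m >= i+2)
        Q = [q - 1 if q > i else q for q in Q]    # x_i x_m^{-1} = x_{m-1}^{-1} x_i

def mul(nf, word):
    P, Q = list(nf[0]), list(nf[1])               # normal form of nf * word
    for k, sign in word:
        P, Q = _right_mul(P, Q, k, sign)
    return _normalize(P, Q)

def to_word(nf): return [(i, 1) for i in nf[0]] + [(j, -1) for j in reversed(nf[1])]
def inverse(nf): return (list(nf[1]), list(nf[0]))            # (P, Q)^{-1} = (Q, P)
def inv_word(word): return [(k, -s) for k, s in reversed(word)]
def left_mul(word, nf): return inverse(mul(inverse(nf), inv_word(word)))   # word * nf
def nf_len(nf): return len(nf[0]) + len(nf[1])                # Definition 1

def gens_A(s): return [[(0, 1), (i, -1)] for i in range(1, s + 1)]   # x_0 x_i^{-1}, Section 3.3
def gens_B(s): return [[(i, 1)] for i in range(s + 1, 2 * s + 1)]     # x_{s+1} .. x_{2s}
def gens_W(s): return [[(i, 1)] for i in range(s + 3)]                # x_0 .. x_{s+2}
def in_B(nf, s): return all(i > s for i in nf[0] + nf[1])             # Section 9 test for B

def random_element(gens, L, rng):
    """Random walk of Section 3.3 until the normal form has length L (even L for A)."""
    nf = ([], [])
    while nf_len(nf) != L:
        g = rng.choice(gens)
        nf = mul(nf, g if rng.random() < 0.5 else inv_word(g))
    return nf

def decomposition_attack(u, w, s, M, N):
    """Repetition-free memory attack (Sections 5, 6) on u = a w b with the Algorithm 2
    halting rule: stop at the first prefix abar with w^{-1} abar^{-1} u in B, else None."""
    gens = gens_A(s) + [inv_word(g) for g in gens_A(s)]           # S_A and its inverses
    freeze = lambda nf: (tuple(nf[0]), tuple(nf[1]))
    w_inv, seen, memory = inverse(w), {freeze(u)}, [(([], []), u)]  # (abar, abar^{-1} u)
    for _ in range(N):
        pool = []
        for abar, y in memory:
            for g in gens:
                y2 = left_mul(inv_word(g), y)                     # peel g off: g^{-1} y
                if freeze(y2) in seen:                            # Section 6: skip repeats
                    continue
                seen.add(freeze(y2))
                abar2, bbar = mul(abar, g), mul(w_inv, to_word(y2))
                if in_B(bbar, s):                                 # Algorithm 2, step (3)
                    return abar2, bbar
                pool.append((nf_len(y2), abar2, y2))
        memory = [(a, y) for _, a, y in sorted(pool, key=lambda t: t[0])[:M]]

def protocol_and_attack(s=3, L=12, seed=7, M=64):
    """Constructed instance of the Section 3.2 protocol: Alice's a1 is a fixed product of
    three S_A generators, the rest is random.  Returns (K_A == K_B, recovered key == K_B)."""
    rng = random.Random(seed)
    w, b1, a2, b2 = (random_element(gx(s), L, rng) for gx in (gens_W, gens_B, gens_A, gens_B))
    a1 = mul(([], []), gens_A(s)[0] + gens_A(s)[1] + inv_word(gens_A(s)[2]))
    u1 = mul(mul(a1, to_word(w)), to_word(b1))                    # u1 = a1 w b1
    u2 = mul(mul(b2, to_word(w)), to_word(a2))                    # u2 = b2 w a2
    ka = mul(mul(a1, to_word(u2)), to_word(b1))                   # K_A = a1 u2 b1
    kb = mul(mul(b2, to_word(u1)), to_word(a2))                   # K_B = b2 u1 a2
    abar, bbar = decomposition_attack(u1, w, s, M, 2 * L)         # exhaustive to depth 3
    return ka == kb, mul(mul(abar, to_word(u2)), to_word(bbar)) == kb   # abar u2 bbar
```

Calling `protocol_and_attack()` checks both that Alice and Bob compute the same group element and that the key recovered from the public $w, u_1, u_2$ alone equals it, which is exactly the reduction of Section 9. With $M = 1$ the same routine is Algorithm 1 with repetition avoidance, and deleting the `seen` set turns it into the plain memory attack of Section 5; both variants still halt on alternative solutions, so their success rates on full-size parameters are those of Table 7 rather than Tables 1 and 2.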

9.1. When the group membership problem is hard. It should be stressed that solving the group membership problem is not necessary in order to cryptanalyze the system. Indeed, given $u_1 = a_1 w b_1$ and $u_2 = b_2 w a_2$, we can apply Algorithm 2 to, e.g., $u_1 = a_1 w b_1$, replacing its step (3) by checking whether the suggested key $\bar a u_2 \bar b$ succeeds in decrypting the information encrypted between Alice and Bob. Our experiments showed that for all reasonable parameters, this formally stronger attack has the same success rates. However, this alternative approach is useful in other groups, in which the membership problem is difficult.

9.2. Results. We have repeated all major experiments for s = 3, L = 
256, but this time considered each alternative solution a success. We 
consider only the repetition-free versions of the attacks, as they are 
much more successful. 

Average automorphism attack. While being substantially better than the 0% reported in Section 8.1 before allowing alternative solutions, the results here are still not satisfactory: For all $|\Phi| \in \{4, 16, \ldots, 1024\}$, the average rates were close to 17%. This suggests that in this setting, the average length converges to the expected length very quickly.

Multiple attack. The success rates for the multiple attack (Section 8) are quite good when alternative solutions are accepted, as shown in Table 6.

It is observed, though, that no significant improvement is obtained when moving from $|\Phi| = 256$ to $|\Phi| = 1024$ (what looks in the table like a drop in the probability is probably a statistical fluctuation, but it still shows that the real probability does not increase substantially).
Table 6. Success rates for the multiple attack with alternative solutions (s = 3, L = 256)

  |Phi|   a recovery   b recovery   Total
  4       7.1%         13.7%        35.7%
  16      11.3%        20.4%        50.1%
  64      11.5%        23.3%        53.9%
  256     16.7%        24.5%        60.4%
  1024    14.5%        20.2%        53.4%

Memory attack. This attack, which corresponds to Section 6.1 but allows alternative solutions, gives the best results on the studied case. We have tried it against the minimal suggested parameters ($s = 3$, $L = 256$), as well as the maximal suggested parameters ($s = 8$, $L = 320$). The results appear in Table 7.



Table 7. Success rates for the memory attack with alternative solutions

          s = 3, L = 256                  s = 8, L = 320
  M       a        b        Total         a        b        Total
  1       9.3%     5.3%     26.2%         8.0%     6.1%     25.4%
  4       12.1%    7.4%     33.7%         10.9%    10.9%    37.0%
  16      15.6%    10.9%    43.4%         11.3%    11.5%    38.4%
  64      27.8%    14.7%    62.1%         17.3%    13.1%    48.4%
  256     35.8%    20.1%    73.7%         18.0%    15.3%    51.8%
  1024    41.5%    25.0%    80.7%         22.2%    14.5%    55.8%

Note that for $s = 3$, $L = 256$, $M = 16$ with alternative solution search gives success rates almost equal to those of $M = 1024$ (which is 64 times slower) without it, and that $M = 1024$ with alternative solution search results in a success rate of about 80%.

It is also interesting to observe that while increasing the parameters reduces the success rates, the success rates are significant even when the maximal recommended parameters are taken.

Based on Table 7, we conclude that the Shpilrain-Ushakov cryptosystem is broken, even if iterated up to one hundred times.

10. Conclusions 

We have described several improvements on the standard length based attack and its memory extensions. They include:

(1) Avoiding repetitions, which is especially important in groups such as Thompson's group $F$, that are far from being free;

(2) Attacking each key multiple times, by applying each time a random automorphism, or equivalently taking the length function induced by such automorphisms;

(3) Looking for alternative solutions which are not necessarily the ones used to generate the equations.

We have tested these improvements against the Shpilrain-Ushakov cryptosystem, and in this case each of them increased the success probability substantially, with (1) being somewhat better than (2), and (3) being a useful addition to any of these. It could be that for other cryptosystems, (2) will prove to be better than (1).

The important advantage of our approach is that it is generic and can 
be easily adjusted to any cryptosystem based on a group that admits 
a reasonable length function on its elements. As such, we believe that 
no cryptosystem leading to equations in a noncommutative group can 
be considered secure before tested against these attacks. 

It is a fascinating challenge to find an alternative platform group 
where the attacks presented here fail. Such a platform may exist, and 
the methods presented here should be useful for dismissing many of 
the insecure candidates. 

Acknowledgements. We thank Francesco Matucci for his useful com- 
ments on this paper. 